Aug 26, 2015

Why are Law Firms Beginning to Form Data Breach Practice Groups?


Your Host

John W. Simek is vice president of the digital forensics and security firm Sensei Enterprises. He is a nationally...

“33% of Fortune 100 Organizations will experience an information crisis by 2017.” – Gartner, an information technology research and advisory firm

Recently, data breaches have become one of the most serious threats to companies worldwide, and as more corporate infrastructure moves online, studies suggest that the rising number of data breaches will cost 2.1 trillion dollars globally by 2019. Because of this, a new market of data breach practice groups has emerged to assist with e-discovery, information governance, data security, and preparation for high-risk technological emergencies. In light of this, what should your law firm or company do to prepare for one of these potentially imminent situations?

In this episode of Digital Detectives, Sharon Nelson and John Simek interview Martin Tully, co-chair of Akerman LLP’s Data Law Practice, about why his firm decided to implement a data breach law group, how data security fits in with current e-discovery and information governance practices, and what every company should include in an incident response plan.

Company interests: preparation for data loss, litigation, and government inquiry

How to proceed during “the upchuck hour”

Reasons for the increase in data breaches

Who and what should be involved in the incident response plan

Simulated data breach exercises

A lack of data security in many law firms

Martin T. Tully is a partner with the Chicago office of Akerman LLP. He is a veteran trial lawyer with more than two decades of experience representing domestic and multinational companies in a variety of complex commercial litigation matters. As the co-chair of Akerman’s Data Law Practice, Martin also focuses on keeping clients ahead of the curve regarding the developing law, technology and best practices related to e-discovery, information governance and data security.

Full Transcript

Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you can use in your law practice. Right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 59th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.

John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is, Law Firms Begin Forming Data Breach Practice Groups. We’re delighted to welcome today’s guest. Martin T. Tully is a partner with the Chicago office of Akerman LLP. He is a veteran trial lawyer with more than two decades of experience representing domestic and multinational companies in a variety of complex commercial litigation matters. As the co-chair of Akerman’s Data Law Practice, Martin also focuses on keeping clients ahead of the curve regarding the developing law, technology and best practices related to e-discovery, information governance and data security, whether in litigation, regulatory, or other contexts. He is an active member of the Sedona Conference Working Group 1, the 7th Circuit E-Discovery Pilot Program Committee, and the Trial Practice Courtroom Technology Subcommittee of the American Bar Association’s Technology for the Litigator Committee. Martin has written extensively on ediscovery, digital evidence, information governance and legal technology. Thanks for joining us today, Martin.

Martin T. Tully: Well thank you for having me Sharon and John. I’m delighted to join both of you today.

Sharon D. Nelson: Martin, the title of our podcast refers to data breach practice groups because we think data breaches have primarily been the driver for forming what your firm calls its data law group. Would you agree to that in general and was that a primary driver for your firm?

Martin T. Tully: Sharon, I would definitely agree that that was a driver as data security and data privacy are some of the fastest growing concerns of organizations of all types. There are a number of key studies that indicate this is a major and growing concern for just about every company and just about every company is affected. To give you an example with just a few stats, the average company experienced more than 91 million security events in 2013 according to the IBM Cyber Security Intelligence Index. 33% of Fortune 100 organizations will experience an information crisis by 2017 according to Gartner. And as more corporate infrastructure moves online, Juniper Research predicts that the rising number and impact of data breaches will cost 2.1 trillion dollars globally by 2019. That’s about four times the estimated cost of breaches in 2015. With stats like these, this just underscored to us the compelling reasons to gather the experience and expertise that we have in this area to meet our client needs even before they realize that they need them.

John W. Simek: Wow, those are amazing stats. Martin, take us through the process of how your firm decided on this new law group, the size of it, the kind of expertise and talent that you were looking for and exactly what you folks do within your law firm.

Martin T. Tully: Sure, John. The good news is we already had an excellent ediscovery practice at Akerman. And we were in the midst of expanding our information governance practice. And now, seeing the growing demand that I just mentioned for data security and data privacy services, there just seemed to be a logical grouping of those areas of expertise. Now the purists will tell you that of course these are somewhat different disciplines, and you can put them in the following buckets: You can say that ediscovery is about finding, information governance is about managing, and data security and data privacy are about protecting data. But they’re obviously related enough that oftentimes a client who is either seeking or in need of assistance in one area often also needs, or cannot afford not to consider, more than one of them or all three of them. So it made sense to us to put them all under one umbrella which we chose to call data law. It’s short, it’s sweet, and it conveys really what the practice is about. It’s about many of the legal issues that pertain to data, something that is ubiquitous and growing exponentially every single day in our environment. Our group here at Akerman, our data law practice group, has over twenty lawyers in it, spanning nine different Akerman offices, with the two co-chairs, myself and Jeff Sharer, based here in Chicago where I am. The different members have different relevant experience, some more on the ediscovery side, some more on the information governance side and some on the data security incident response side. Some have more practical experience, such as my twenty plus years as a complex commercial litigator in the trenches, and others have more technical experience. But collectively, our team is well positioned to keep our clients ahead of the curve with developing law, technology and best practices. And that kind of collective team approach to bringing different disciplines and experiences together is actually something that is very important with respect to addressing these issues within most of the clients we serve.

Sharon D. Nelson: So how do you see the data breach and data privacy piece fitting in or coexisting with the ediscovery and information governance practices that have been emerging over the past five to ten years?

Martin T. Tully: As mentioned, there is a relation between them, although they are a little bit different. But one of the things that they share in common is that the client demand for legal services in these areas is increasing every year and showing no signs of slowing. There are spiraling costs and risks inherent in electronic discovery, as we all know. The proliferation of data privacy and security laws around the world, high profile data breaches occurring on a daily basis, and massive corporate data stores growing at unprecedented rates have all combined together to move data law from the back office to the board room. And it’s really achieved a whole new prominence. More specifically, to answer your question Sharon, ediscovery practices, I would say, rose to prominence within the last ten years and were primarily focused on matter-level requirements. The matter being a lawsuit, a subpoena, an investigation, and many would say that the need for them was driven by fear of sanctions. Information governance practices are really hot these days as the recession is more a distant thing in the rear view mirror of most companies and there’s a budget now to spend on information hygiene, as I like to call it. And we have more focus on organizational requirements in information governance. And here, the driver is fear of costs and loss of control. Data security, data privacy, that’s the easiest one to explain. I usually don’t have to explain data security or data breach to someone, whereas I usually have to explain to someone who’s not as familiar what ediscovery is and what information governance is. All you have to do is say data breach and just about anybody, anywhere, on the street corner, will know what you’re talking about. And most people will figure out that that’s very much akin to having your credit card stolen or even lost, but the consequences are even worse. And here, the current need is really driven by fear of headlines and large liability. The thread that ties all three of these things together is the need to understand a client’s data, systems and custodians in order to achieve superior results at reasonable costs. The things that we talk about in each of these areas, such as education, conducting gap analysis to see where things can be improved, weighing risks, proportionality, and prevention and cure, are common to all three of these areas. So I see them being very much in coexistence going forward as all three grow.

John W. Simek: So Martin, are you seeing this kind of movement only in law firms or also in non-legal firms? And how do you see the two of them possibly working together going forward?

Martin T. Tully: I definitely see, because of the growing demand for services in all three of these areas, that there are a number of different organizations and companies providing services in this space. Clearly, we all know of the numerous firms that are involved in the ediscovery space, both legal and non-legal. That’s also arising in the information governance space as you see accounting firms and other consulting outfits providing information governance consulting in a non-legal environment. In the data security space, particularly because of the high profile breaches that we’ve had, there is an increased demand for technical companies, the ones that don’t provide legal advice but are actually the ones finding out what the cause was of a breach or a loss and then figuring out what can be done within an organization’s systems and parameters to mitigate or avoid the chance of one in the future. What I predict is that we’re going to see more and more strategic partnerships amongst these different types of entities, legal and non-legal and technical alike. Because really, to bring a complete solution to most clients, there are different components that have to be brought to bear, and I don’t think any one of them can do it all. So I think you’re going to see a convergence of that and more collaboration in the future to better serve clients.

Sharon D. Nelson: Well I think you’ve certainly established that there is a rising need and request by clients for these kinds of services. But what kind of services seem to interest them most and how fast is this demand increasing?

Martin T. Tully: Well certainly with respect to matter or incident driven types of services, ediscovery and data security, it’s the event that drives a lot of the need. There’s a lawsuit, there’s a subpoena, there’s a government investigation or request for information. With a data breach, obviously if one occurs, if there’s a data loss then the net drives the net. But what we’re seeing now, post-recession, is more and more organizations starting to think proactively in this space. How do I avoid the next data breach? What do I do with the pallets of backup tapes that we have sitting in a warehouse somewhere? How do I better manage my workflows for the next piece of litigation so that I don’t have an enormous sticker shock when I get my invoice from my law firm or from my outside vendor? So we’re seeing and we’re finding that there’s spend in the budgets of more and more companies to look at these issues, whether it’s practicing good information hygiene, or reducing costs for serial litigants. We’re seeing requests for data remediation projects in the information governance space. This is the example where a client says, “I have all this stuff. Can you help me defensibly get rid of it so that we can reduce our storage and other related costs for that data?” Ediscovery is mentioned where you’ll have, for example, a serial litigant that is in search of a better cost workflow. And in data security, it’s clients requesting a checkup, if you will, or a gap analysis, to figure out where we stand in terms of our level of security, can we do better, what does it cost us, what’s the risk of not doing it, and do we have a plan in place for responding to an incident should one occur.

John W. Simek: Well, Martin, around here, we find that the first client meeting after a data breach is aptly named the upchuck hour. So what has your experience been when you have to outline to clients how to proceed after a data breach? Especially for those who don’t have an incident response plan.

Martin T. Tully: I think the upchuck hour is probably a very polite way to describe it. There’s definitely a high risk of exasperational paralysis when a client learns of an intrusion or a data breach or even the CEO’s laptop that was left in the back of a cab somewhere. But one has to, and one should, invoke the remain calm and carry on motto with clients. As a litigator, I can tell you that these incidents can make a TRO proceeding seem tame by comparison because of the high level of anxiety. But I’m reminded of Douglas Adams’s novel, the Hitchhiker’s Guide to the Galaxy, and on the cover of that device was imprinted the words, “Don’t panic.” It was put there because the device looked insanely complicated to operate and this language was on there partly to keep intergalactic travelers from panicking. Science fiction author Arthur C. Clarke said that Douglas Adams’s use of the phrase, “Don’t panic,” in his novel was perhaps the best advice that could be given to humanity. Well, taken out of the science fiction realm and into our realm, yes, this can appear to be insanely complicated to clients and also highly dangerous, but “Don’t panic,” is a good piece of advice. This is why an incident response plan is so key, because you really have to figure out what happened, what needs to be done, and that really, really helps the situation. So if there is no incident response plan, walking a client through those steps, obviously in a very short period of time – given the urgency of the situation – is key. One other thing on that real quickly is not every situation is as urgent as it might sound. We hear data breach and everyone immediately freaks out. But consider if you were to read a story in the newspaper or on the ten o’clock news about how some masked men went into a bank and accessed the vaults but left with nothing. It wouldn’t be as serious as if they had taken ten million dollars. In the former example, the real focus is how did it happen, how do we prevent it from happening again. But again, there was no harm and no need to notify any account holders. So a lot of it depends upon very quickly ascertaining the severity of the incident, what happened and who’s affected.

John W. Simek: Great. Well, before we move onto the next segment, let’s take a quick commercial break.

John W. Simek: This is normally the spot in our show where we hear words from our sponsors. This potentially represents a unique opportunity for you. Digital Detectives is seeking sponsors. You can hear your advertisement right here. If you’re interested, contact the team at Legal Talk Network at [email protected].

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is, Law Firms Begin Forming Data Breach Practice Groups. Our guest is Martin Tully, a partner with the Chicago office of Akerman LLP, who is the co-chair of Akerman’s data law practice group. Martin, do you think we’re seeing so many data breaches because security’s poor, or because it’s hard to defend against a sophisticated attack no matter how much money and time you’ve dumped into your defenses, or is it some combination?

Martin T. Tully: Sharon, it’s a combination and then some. Number one, you’re finding situations where organizations just don’t have the security protocols in place, whether it’s technologically or procedurally or policy-wise. And that leads to problems because they’re just not very secure in either their technological parameters, their firewalls or their practices. In other instances, yes, you are absolutely seeing more and more sophisticated attacks and a growing network of targets. I’m reminded of a few years ago when I believe a representative of the Department of Justice spoke to a room full of lawyers and said that the new number one target of hackers would be law firms. The reason being that the hackers had realized that a lot of the principal targets, financial institutions and whatnot, had hardened their security, making it more difficult to be hacked. But these same institutions were ultimately and freely sharing information – sensitive information – with their accountants, their lawyers and consultants. And the hackers were quickly figuring out that the latter group of organizations were much softer and easier targets. So the message to the audience was law firms beware, you need to harden your targets as well and increase your security. There’s one piece that you mentioned that I think there’s really no way around and that is the human element. No matter how much security you put into place, there’s always someone within the organization that can unravel the entire tapestry. And some of the high profile data breaches that we’ve read about in the last few years involved a distinctly human element, where some different choices really could’ve prevented the breach that took place. The other thing – just going back to the sophistication of the attacks – is the strong desire to access this information. I mentioned earlier the bank robbery example. Data is the new currency, whether it’s personal information, identity information, financial information. It reminds me of the 1930’s bank robbery movies when the vehicle would pull up to the bank and the tommy guns would blare and the masked men would run inside and run out with money. That doesn’t happen so much anymore, but with data being the new currency, you’re seeing it happening more and more in cyberspace.

John W. Simek: Martin, can you talk in a little more detail about how important incident response plans are and what should be included within them?

Martin T. Tully: Absolutely. They are indispensable. The number one most critical thing is to have an incident response plan. I’m reminded of the National Fire Protection Association’s Learn Not To Burn campaign, which basically at the household level told homeowners and families that you need to have a plan for what happens if you wake up in the middle of the night and you smell smoke and the living room’s on fire. How are you going to get out, where are you going to meet? Who is going to do what in the event of that kind of emergency to make sure that everybody gets out safely? That’s a metaphor for what a good incident response plan needs to be. Number one, it’s the old cliche of failing to plan is planning to fail. But part of that is also making sure that you have identified who needs to be involved in the exercise. Not just the exercise of responding to an incident, but also the exercise of coming up with the incident response plan in the first place. Like information governance and like ediscovery, it’s very important to bring together the different functions within the organization to make sure everybody knows what their role is in the event of an incident. Obviously IT is important; public relations, corporate communications can be involved, the chief information officer, executive staff, in-house legal, outside legal, and other functions within the organization need to come together at the time of the response to make sure that they all know their place, know their role, and what it is that they’re supposed to do. An incident response plan in general should cover a number of things, and I would say that those should include but are not limited to, number one, what is your method by which to monitor or detect an intrusion or a breach. And in this instance, I’m talking about the situation where there’s an external attack upon an organization’s systems or an intrusion of some sort. But it can also be, in other contexts as mentioned, someone leaving an unencrypted laptop in the back of a New York taxicab. It may not be that kind of intrusion. But what is the process for identifying that incident? How do you know when or where it’s happened? Number two is defining what is an incident. What constitutes an incident should be defined in the plan, and there should be some pre-existing methodology by which to determine the severity level of the incident, which then will dictate what steps may have to be taken. Reporting should be covered. Reporting of the incident to whom, internally and externally, is necessary. When does it need to be reported? Again, going back to severity level, is it an urgent issue or is it a non-urgent issue for the organization? A plan should also cover what preservation or forensic analysis plan there should be for determining what happened and preserving the evidence to be able to conduct a proper analysis. And if necessary, to prosecute a claim or even coordinate with the authorities. Speaking of authorities, the plan should also touch upon who has the authority to act. This goes back to the composition of the incident response team. And the incident response team that gets pulled together in the event of a data breach should be identified in advance and everyone given their particular role for what they’re going to do in that eventuality. It should discuss what actions should be taken. Again, reporting, for example, depends upon the type of intrusion and what type of data is involved. Is it personal health information? Are there HIPAA reporting requirements? Those are questions that should be spelled out in the plan with direction given. Oversight should be covered with respect to who is going to be overseeing the efforts of the incident response team. Documentation of everything that is done throughout the process is also critical, including things that are done at the IT level in terms of logging steps that are taken to determine what happened. Compliance with the plan is also key, which is why it should be tested periodically to make sure that it is working. And another reason to audit and test the plan periodically is to determine whether or not changes need to be made to the plan based on changed circumstances or functions within the organization. So those are just a few of the things.

Sharon D. Nelson: That was a brilliant summary and you segued beautifully into my next question, which is about testing the plan itself. So how do clients protect themselves better by doing simulated data breach exercises, and tell us how you would actually go about performing that exercise.

Martin T. Tully: Sure, and to put this into a little bit of a different context, in the municipal environment, there is something called an emergency response plan where a municipality, a city or a village or a town, will simulate a disaster of some sort. A tornado, a major fire, a tank car derailment in the middle of the town. Who would do what in the event of that type of an emergency? And municipalities periodically will run what they call tabletop exercises, bringing together the police chief, the fire chief, the head of public works, the village manager, the city manager, as well as other key people. And they will literally come into an emergency operations center with a scenario that has not been previously disclosed and will run through it as if something has happened. And literally everyone in the room will go through, in this eventuality, “I would do this.” If they needed to contact the federal office of such and such, that person would do this; crowd control, evacuation, whatever it might be. Very similar exercises are starting to be done by companies with respect to incident response plans and data breaches. Once a plan is put together and vetted and approved by a company, they’ll go through exercises where they literally will do something very similar. All the members of the incident response team will go to a situation room and walk through a scenario that was not previously disclosed. It can either be a system intrusion or the example I keep mentioning where the chief financial officer’s laptop was left in the back of a cab, and everyone would walk through, with their given role, what they were to do in that situation. These tabletop exercises will often include members of the response team such as outside vendors who may need to do the forensic analysis or preservation of information and evidence necessary to analyze what happened and what to do about it going forward. It may also involve representatives from the outside law firm representing the client in terms of compliance and notification issues. And literally in the tabletop exercise, everyone would walk through what they would do if such an event had actually happened. So even though it’s a test and only a test, and you would be notified of where to go for further information if there was a real emergency, these kinds of exercises are really critical for reminding people what their role is, and it serves as a training function. But it also tests the plan and you can figure out if there are gaps in your plan that need to be addressed before the real thing happens.

John W. Simek: Well Martin, we’re almost out of time here and you kind of touched on this a little bit about the law firms. But notoriously, law firms have done a pretty poor job in protecting their own data. What sort of changes have you seen in that arena and what’s driving those changes?

Martin T. Tully: You’re right. There’s an old saying about the cobbler’s children having no shoes. And sometimes lawyers and law firms can be the worst at following their own advice. What I’m seeing is more and more law firms looking introspectively with respect to their own data security policies and getting better at practicing what they preach. Law firms in particular have two challenges. One, they not only have the information and data for their own organization that, just like any organization, they need to be mindful of, employee information, et cetera, et cetera. But then they also have custody of, and the ethical obligation to protect, the information and data of their clients. So there’s a twofold obligation for law firms, and that’s important for a very good reason. We’re seeing that more clients, whether they’re financial services companies or whether they’re companies in the healthcare space, are requiring security audits of their law firms. Remember the comment I made earlier about the Department of Justice saying that law firms were a soft underbelly for hackers? More and more clients are demanding that their law firms demonstrate a certain level of security and that they follow certain practices that are at least equivalent to those of the clients they serve in order to keep doing business for them. So law firms, I think, number one, are more cognizant of their need as an organization, separate and apart from being a law firm, to be more compliant with best practices in data security and data privacy. But also the demands of the clients are really driving this even further. I think this is a good experience on many levels because it makes us, as lawyers, better equipped to add value to our own clients. And it’s something that at Akerman, we’ve gone through this process and revisited this process periodically for all the reasons that I just mentioned. It makes good sense and it makes us better able to add value to our clients.

Sharon D. Nelson: I’ll tell you, as a data security company ourselves, what we are always doing is revisiting our own security, because it is the cobbler’s children all over again. I want to thank you a lot, Martin, for joining us today as our guest. I think you managed to pack sixty minutes of information into twenty five. I know a lot of people who maybe were not so familiar with this subject will really have learned a lot from today. So again, thank you for being our guest, you were terrific.

Martin T. Tully: Well John and Sharon, thank you so much for having me. It was really a delight and I appreciate it very much.

John W. Simek: Well that does it for this edition of Digital Detectives; and remember, you can subscribe to all of the editions of this podcast at LegalTalkNetwork.com, or in iTunes. If you enjoyed this podcast, please review us on iTunes.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and security services at www.senseient.com. We’ll see you next time on Digital Detectives.

Advertiser: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.